CVE-2026-43639 Overview
CVE-2026-43639 is a missing authorization vulnerability [CWE-862] in Bitwarden Server prior to version v2026.4.0. A provider service user can add an arbitrary organization to their provider by sending a crafted request to POST /providers/{providerId}/clients/existing. The endpoint fails to verify that the caller owns or controls the target organization. Successful exploitation results in takeover of the target organization through the provider relationship. Self-hosted installations are unaffected because the endpoint is restricted to Cloud deployments via SelfHosted(NotSelfHostedOnly = true).
Critical Impact
An authenticated provider service user can attach any organization to their provider and gain administrative control over that organization's vault, users, and data on Bitwarden Cloud.
Affected Products
- Bitwarden Server versions prior to v2026.4.0 (Cloud-hosted deployments)
- The bitwarden:server component, specifically the provider endpoints exposed through the Admin Console API
- Self-hosted Bitwarden Server instances are not affected
Discovery Timeline
- 2026-05-11 - CVE-2026-43639 published to the National Vulnerability Database
- 2026-05-16 - Last updated in NVD database
Technical Details for CVE-2026-43639
Vulnerability Analysis
The vulnerability resides in the ProviderClientsController within src/Api/AdminConsole/Controllers/. The AddExistingOrganization action accepts an OrganizationId in the request body and links that organization to the provider identified by providerId in the route. The pre-patch handler called TryGetBillableProviderForServiceUserOperation to validate the provider context, but performed no check confirming the calling user had rights over the target organization. Bitwarden providers are designed to manage client organizations under a Managed Service Provider model, so attaching an organization grants the provider elevated control. Combined with the absent ownership check, any user holding a provider service role on Bitwarden Cloud could pivot into arbitrary tenant organizations.
Root Cause
The controller did not enforce that the requesting user was an owner of the organization being added. There was also no validation that the target organization appeared in the user's set of addable organizations. The authorization logic relied solely on provider-side role checks while ignoring the cross-tenant boundary on the organization side.
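To make the cross-tenant gap concrete, here is a small in-memory model of the authorization decision described above, with the pre-patch shape (provider-side role check only) next to the post-patch shape (provider admin, organization owner, organization in the caller's addable set). This is an added illustration, not Bitwarden code: the data model, role names, `Directory.addable_orgs` (standing in for `GetAddableToProviderByUserIdAsync`) and the sample identities are all assumptions chosen for the example.

```python
"""Model of the add-existing-organization authorization decision.

Illustrative example, not Bitwarden code. The data model, role names and
function names are assumptions; they exist only to show why a provider-side
role check alone lets a caller reach across the tenant boundary.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class ProviderRole(Enum):
    SERVICE_USER = "service_user"
    ADMIN = "admin"


@dataclass
class Org:
    org_id: str
    owners: set[str]                  # user ids holding the Owner role in this org
    provider_id: str | None = None    # provider this org is attached to, if any


@dataclass
class Provider:
    provider_id: str
    members: dict[str, ProviderRole] = field(default_factory=dict)


@dataclass
class Directory:
    orgs: dict[str, Org]
    providers: dict[str, Provider]

    def addable_orgs(self, user_id: str) -> set[str]:
        # Assumed analogue of GetAddableToProviderByUserIdAsync: organizations the
        # caller owns that are not yet attached to any provider.
        return {o.org_id for o in self.orgs.values()
                if user_id in o.owners and o.provider_id is None}


class Denied(Exception):
    """Raised where the real controller would return Unauthorized/NotFound."""


def add_existing_org_vulnerable(d: Directory, user_id: str, provider_id: str, org_id: str) -> None:
    """Pre-patch shape: only the caller's membership in the provider is checked."""
    provider = d.providers.get(provider_id)
    if provider is None or user_id not in provider.members:
        raise Denied("not a member of this provider")
    org = d.orgs.get(org_id)
    if org is None:
        raise Denied("organization does not exist")
    org.provider_id = provider_id   # no check that the caller owns the org


def add_existing_org_fixed(d: Directory, user_id: str, provider_id: str, org_id: str) -> None:
    """Post-patch shape: provider admin AND org owner AND org in the addable set."""
    provider = d.providers.get(provider_id)
    if provider is None or provider.members.get(user_id) != ProviderRole.ADMIN:
        raise Denied("provider admin role required")
    org = d.orgs.get(org_id)
    if org is None or user_id not in org.owners:
        raise Denied("caller is not an owner of the organization")
    if org_id not in d.addable_orgs(user_id):
        raise Denied("organization is not addable to this provider")
    org.provider_id = provider_id


def build_sample() -> Directory:
    # Constructed sample: "attacker" is a service user of provider P1 and owns
    # ORG-A; ORG-V belongs to someone else and is not attached to any provider.
    return Directory(
        orgs={
            "ORG-V": Org("ORG-V", owners={"victim-owner"}),
            "ORG-A": Org("ORG-A", owners={"attacker"}),
        },
        providers={"P1": Provider("P1", members={"attacker": ProviderRole.SERVICE_USER})},
    )


def demo() -> dict[str, str | None]:
    """Run both handlers against the sample; report which provider ORG-V ends up under."""
    results: dict[str, str | None] = {}
    d = build_sample()
    add_existing_org_vulnerable(d, "attacker", "P1", "ORG-V")
    results["vulnerable"] = d.orgs["ORG-V"].provider_id   # "P1": the org was absorbed

    d = build_sample()
    try:
        add_existing_org_fixed(d, "attacker", "P1", "ORG-V")
    except Denied:
        pass
    results["fixed"] = d.orgs["ORG-V"].provider_id        # None: rejected
    return results


def owner_admin_add() -> str | None:
    """Legitimate path: a provider admin attaching an organization they own."""
    d = build_sample()
    d.providers["P1"].members["attacker"] = ProviderRole.ADMIN
    add_existing_org_fixed(d, "attacker", "P1", "ORG-A")
    return d.orgs["ORG-A"].provider_id   # "P1"


if __name__ == "__main__":
    print(demo(), owner_admin_add())
```

The point of the model is the ordering of the gates in `add_existing_org_fixed`: the organization-side owner check is the decision that actually respects the tenant boundary; the provider-side role check alone, as in the vulnerable variant, says nothing about who controls the target organization.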
Attack Vector
An attacker authenticates to Bitwarden Cloud with a provider service user account, identifies a target organization's GUID, and issues a single HTTP POST to /providers/{providerId}/clients/existing containing the victim organization's identifier. The server links the organization to the attacker's provider, after which the provider workflow yields administrative access over the absorbed organization.
// Security patch in src/Api/AdminConsole/Controllers/ProviderClientsController.cs
[FromRoute] Guid providerId,
[FromBody] AddExistingOrganizationRequestBody requestBody)
{
- var (provider, result) = await TryGetBillableProviderForServiceUserOperation(providerId);
+ var userId = _currentContext.UserId;
+ if (!userId.HasValue)
+ {
+ return Error.Unauthorized();
+ }
+
+ var (provider, result) = await TryGetBillableProviderForAdminOperation(providerId);
if (provider == null)
{
return result;
}
- var organization = await organizationRepository.GetByIdAsync(requestBody.OrganizationId);
+ if (!await _currentContext.OrganizationOwner(requestBody.OrganizationId))
+ {
+ return Error.Unauthorized();
+ }
+
+ var addableOrganizations = await organizationRepository.GetAddableToProviderByUserIdAsync(userId.Value, provider.Type);
+ var organization = addableOrganizations.FirstOrDefault(o => o.Id == requestBody.OrganizationId);
if (organization == null)
{
- return Error.BadRequest("The organization being added to the provider does not exist.");
+ return Error.NotFound();
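Review bot: the two organization-side gates, `if (!await _currentContext.OrganizationOwner(requestBody.OrganizationId))` and the `GetAddableToProviderByUserIdAsync(userId.Value, provider.Type)` filter, overlap, and nothing in the hunk says why both are kept; a one-line comment stating that the owner check is the authorization decision and the addable-set lookup additionally enforces provider-type eligibility would stop a later refactor from dropping one of them as redundant. The switch from `TryGetBillableProviderForServiceUserOperation` to `TryGetBillableProviderForAdminOperation` also removes this capability from existing provider service users, which is a behaviour change worth stating in the PR description and release notes. Minor style point: `_currentContext` follows the underscore field convention while `organizationRepository` does not; the controller should use one or the other.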
Source: GitHub Bitwarden Commit 0918bfd
The patch raises the required provider role from service user to admin, enforces OrganizationOwner on the target organization, and restricts selection to organizations returned by GetAddableToProviderByUserIdAsync. A parallel fix in ProviderOrganizationsController adds the same OrganizationOwner check on the add endpoint.
Detection Methods for CVE-2026-43639
Indicators of Compromise
- Successful POST requests to /providers/{providerId}/clients/existing or /providers/{providerId}/organizations/add originating from provider service user accounts.
- Unexpected ProviderOrganization records linking provider GUIDs to organizations whose owners did not initiate the relationship.
- Audit log entries showing a provider gaining administrative access to an organization without a corresponding owner-side approval event.
Detection Strategies
- Query application logs for HTTP 200 responses to the vulnerable endpoints where the authenticated user is not listed as an owner of the supplied OrganizationId.
- Correlate provider membership changes with the absence of preceding owner-side invitations or acceptance events.
- Baseline normal provider-to-organization onboarding flow and alert on direct API calls that bypass the standard signup workflow.
Monitoring Recommendations
- Enable verbose audit logging on Admin Console controllers and forward events to a centralized SIEM.
- Monitor for repeated calls to provider endpoints with varying OrganizationId values from a single provider account, which suggests enumeration.
- Review the historical set of ProviderOrganization entries created prior to upgrading to v2026.4.0 and validate each linkage with the organization owner.
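The detection strategies and the enumeration monitoring point above can be combined into one hunt over API access logs. The following is an added example, not Bitwarden tooling: it assumes a JSON-per-line access log in which the request body's OrganizationId has already been extracted into an `org_id` field, and an owner map (organization id to owner user ids) that a real deployment would pull from its organization-user data. The log lines and owner map are constructed for the example.

```python
"""Hunt for suspicious provider-to-organization linkages in access logs.

Added example, not Bitwarden tooling. Log format, field names, the owner map
and every identifier below are constructed assumptions.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict

# The two endpoints named in the advisory; the provider id in the route is a GUID.
VULNERABLE_PATH = re.compile(
    r"^/providers/(?P<provider>[0-9a-fA-F-]{36})/(?:clients/existing|organizations/add)$"
)

# Constructed identifiers (placeholders, not real tenants).
P1 = "11111111-1111-1111-1111-111111111111"
ORG_V = "0000aaaa-0000-0000-0000-000000000001"   # victim organization
ORG_B = "0000bbbb-0000-0000-0000-000000000002"   # owner-bob's own organization
ORG_C = "0000cccc-0000-0000-0000-000000000003"
ORG_D = "0000dddd-0000-0000-0000-000000000004"

# Constructed sample log: one JSON object per line, plus one malformed line.
SAMPLE_LOG = f"""\
{{"ts":"2026-05-12T09:14:02Z","user":"svc-user-a","method":"POST","path":"/providers/{P1}/clients/existing","status":200,"org_id":"{ORG_V}"}}
{{"ts":"2026-05-12T09:15:40Z","user":"owner-bob","method":"POST","path":"/providers/{P1}/organizations/add","status":200,"org_id":"{ORG_B}"}}
{{"ts":"2026-05-12T09:16:01Z","user":"svc-user-a","method":"POST","path":"/providers/{P1}/clients/existing","status":400,"org_id":"{ORG_C}"}}
{{"ts":"2026-05-12T09:16:09Z","user":"svc-user-a","method":"POST","path":"/providers/{P1}/clients/existing","status":400,"org_id":"{ORG_D}"}}
{{"ts":"2026-05-12T09:20:00Z","user":"owner-bob","method":"GET","path":"/providers/{P1}/clients","status":200}}
not json at all
"""

# Constructed owner map: organization id -> user ids holding the Owner role.
OWNERS: dict[str, set[str]] = {
    ORG_V: {"victim-owner"},
    ORG_B: {"owner-bob"},
    ORG_C: {"carol"},
    ORG_D: {"dave"},
}


def iter_provider_link_requests(log_text: str):
    """Yield parsed POST events that hit one of the two linkage endpoints."""
    for raw in log_text.splitlines():
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # skip malformed lines rather than abort the hunt
        if ev.get("method") != "POST":
            continue
        m = VULNERABLE_PATH.match(ev.get("path", ""))
        if not m:
            continue
        ev["provider_id"] = m.group("provider")
        yield ev


def find_unauthorized_links(log_text: str, owners: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Successful (200) linkages where the caller is not an owner of the supplied org.

    Returns (user, provider_id, org_id) tuples. An org absent from the owner map
    is treated as having no known owners, so it is flagged rather than silently passed.
    """
    hits = []
    for ev in iter_provider_link_requests(log_text):
        if ev.get("status") != 200:
            continue
        org = ev.get("org_id")
        if ev.get("user") not in owners.get(org, set()):
            hits.append((ev["user"], ev["provider_id"], org))
    return hits


def find_enumeration(log_text: str, min_distinct: int = 2) -> dict[tuple[str, str], list[str]]:
    """(user, provider) pairs that submitted at least min_distinct different org ids.

    Failed attempts count too: an attacker probing ids sees 4xx on most of them.
    """
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for ev in iter_provider_link_requests(log_text):
        seen[(ev.get("user"), ev["provider_id"])].add(ev.get("org_id"))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}


if __name__ == "__main__":
    print("unauthorized linkages:", find_unauthorized_links(SAMPLE_LOG, OWNERS))
    print("enumeration candidates:", find_enumeration(SAMPLE_LOG))
```

Two design choices matter in practice: the ownership check considers only 200 responses (a rejected request did not create a linkage), while the enumeration check deliberately counts every attempt, because the probing pattern shows up mostly as failures. Tune `min_distinct` against the baseline onboarding rate for your providers; a legitimate MSP adding several clients in one session will look like enumeration at a low threshold.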
How to Mitigate CVE-2026-43639
Immediate Actions Required
- Upgrade Bitwarden Server to v2026.4.0 or later, which contains the authorization checks introduced in pull request #7372.
- Audit all existing provider-organization associations created on Cloud deployments and remove any that lack owner consent.
- Rotate credentials and API keys for organizations that were linked to unverified providers.
- Review provider service user accounts and revoke access for any that are unused or unattributed.
Patch Information
The fix is delivered in Bitwarden Server release v2026.4.0 and merged via pull request #7372. The corresponding code change is documented in commit 0918bfd. Additional context is available in the VulnCheck Bitwarden Advisory and the Bitwarden Provider Takeover Blog.
Workarounds
- Self-hosted operators are not exposed because the affected endpoint is gated by SelfHosted(NotSelfHostedOnly = true); no action is required beyond standard patching hygiene.
- For Cloud-hosted tenants awaiting upgrade, restrict provider service user account creation and enforce strict approval workflows for any provider-to-organization onboarding.
- Temporarily disable provider service user roles for accounts that do not have an active business need.
# Verify the deployed Bitwarden Server version is patched
curl -s https://your-bitwarden-host/api/version
# Expected output should show v2026.4.0 or later
# If running an older release, pull the patched image and redeploy
docker pull bitwarden/api:2026.4.0
docker pull bitwarden/admin:2026.4.0
./bitwarden.sh updateself
./bitwarden.sh update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.